[sudo-users] Disabling "sudo su" but allow everything else?

Paul Cantle paul at cantle.me
Mon Aug 2 15:14:34 EDT 2010


Hi All,

I'd also look to disable /bin/vi (without the /etc/sudoers flag by adding it to the RESTRICTED alias) as users will be able to shell out of vi by default and get a root shell anyway (which will kind of make !SHELLS irrelevant).

Just my 2c worth.

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jimmy Crackcorn
Sent: 02 August 2010 19:51
To: Rick_Steele at oxy.com
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Disabling "sudo su" but allow everything else?

Perfect, thanks Rick!

On Mon, Aug 2, 2010 at 11:04,  <Rick_Steele at oxy.com> wrote:
> This works for me. See the entries for "RSS-TAW" and "LOCALACCTS".  We use Centrify here and the RSS-TAW is a group of AD Accounts.
>
>
>
>
>
> Cmnd_Alias RESTRICTED= /bin/vi /etc/sudoers, /bin/su - root, /bin/su - , /usr/sbin/visudo
> Cmnd_Alias SHELLS= /bin/sh, /bin/ksh, /bin/bash, /bin/zsh, /bin/csh, /bin/tcsh, /usr/bin/login, /usr/bin/su
> Defaults  mailto="Linux_Unix_Admin at oxy.com"
> Defaults  mail_no_perms
> Defaults  mail_no_user
> Defaults  mailerpath=/usr/sbin/sendmail
> Defaults  mailsub="*** executed command via sudo on %h ***"
> Defaults  mailerflags="-t"
> %admin          ALL=(ALL)   ALL
> User_Alias      LOCALACCTS = xxxxxxx
> LOCALACCTS      ALL = NOPASSWD: ALL , !SHELLS, !RESTRICTED
> ##ohollic1
> %RSS-TAW   ALL=(ALL)   ALL , !SHELLS, !RESTRICTED
>
>
> Rick Steele
> Consultant, Enterprise Server Operations OXY Inc.
> 713-215-7836 Office; 832-744-5824 Cell, 713-215-7170 FAX
>
> THIS COMMUNICATION IS ONLY FOR THE USE OF THE INTENDED RECIPIENT. IT CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF OCCIDENTAL PETROLEUM CORPORATION OR ITS AFFILIATED CORPORATIONS. UNAUTHORIZED USE, DISTRIBUTION, OR DISCLOSURE IS PROHIBITED. IF YOU ARE NOT THE INTENDED RECIPIENT PLEASE NOTIFY THE SENDER.
>
>
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com 
> [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Jimmy Crackcorn
> Sent: Monday, August 02, 2010 11:59 AM
> To: sudo-users at sudo.ws
> Subject: [sudo-users] Disabling "sudo su" but allow everything else?
>
> I know it's not the preferred way to go about doing things but I've 
> got a group of people that ssh into systems with a designated user 
> account and I want to allow them to do everything on the system other 
> than doing a 'sudo su' and 'sudo su -'.  I've tried the following but 
> can't seem to get it to work:
>
>  User_Alias      OKGUYS = userone, usertwo
>  Cmnd_Alias NON=!/usr/bin/sudo su, !/usr/bin/sudo su -
>  OKGUYS ALL = NOPASSWD: ALL, NON
>
> Is there a way to actually do this?
>
> Cheers!
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws> For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users
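The policy Rick posted relies on sudoers' "!" entries (!SHELLS, !RESTRICTED) after an "ALL" grant, and Paul's point is that the result is narrower than it looks: the RESTRICTED alias only forbids "/bin/vi /etc/sudoers", so every other invocation of vi is still allowed. The script below is an added example, not code from this thread or from the sudo project: a small offline simulator of the documented sudoers command-matching rules (an entry without arguments matches that path with any arguments, an entry with arguments must match them exactly, and the last matching entry wins), run over the quoted aliases and the LOCALACCTS rule to show which candidate commands the deny-list catches. The account name "opsuser" replaces the "xxxxxxx" placeholder and is constructed; host and Runas matching are deliberately not implemented, and group (%) specs are not evaluated.

```python
"""Offline simulator of sudoers command matching, used to audit the deny-list
policy quoted in the thread.  Implements the documented rules: an entry with
no arguments matches the path with any arguments, an entry with arguments must
match them exactly (shell-style wildcards honoured), and the last matching
entry wins.  Host, Runas_Spec and %group specs are intentionally not evaluated
(simplification for this example)."""
import fnmatch
import re

# Constructed sudoers fragment: the aliases and the LOCALACCTS rule from the
# posted policy, with the account placeholder replaced by "opsuser".
SUDOERS = """
Cmnd_Alias RESTRICTED= /bin/vi /etc/sudoers, /bin/su - root, /bin/su - , /usr/sbin/visudo
Cmnd_Alias SHELLS= /bin/sh, /bin/ksh, /bin/bash, /bin/zsh, /bin/csh, /bin/tcsh, /usr/bin/login, /usr/bin/su
User_Alias      LOCALACCTS = opsuser
LOCALACCTS      ALL = NOPASSWD: ALL , !SHELLS, !RESTRICTED
"""


def parse_sudoers(text):
    """Return (cmnd_aliases, user_aliases, specs); specs is an ordered list of
    (user-or-alias, [command items]) tuples.  Defaults lines are skipped."""
    cmnd_aliases, user_aliases, specs = {}, {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, body = line[len("Cmnd_Alias"):].split("=", 1)
            cmnd_aliases[name.strip()] = [c.strip() for c in body.split(",")]
        elif line.startswith("User_Alias"):
            name, body = line[len("User_Alias"):].split("=", 1)
            user_aliases[name.strip()] = [u.strip() for u in body.split(",")]
        else:
            who, rest = line.split(None, 1)
            _host, cmds = rest.split("=", 1)
            # strip an optional "(runas)" and "NOPASSWD:"/"PASSWD:" tag
            cmds = re.sub(r"^\s*(\([^)]*\)\s*)?((NO)?PASSWD:\s*)?", "", cmds.strip())
            specs.append((who, [c.strip() for c in cmds.split(",")]))
    return cmnd_aliases, user_aliases, specs


def expand(items, cmnd_aliases, negated=False):
    """Flatten alias references into ordered (negated, command) pairs."""
    out = []
    for item in items:
        neg = negated
        while item.startswith("!"):
            neg, item = not neg, item[1:].strip()
        if item in cmnd_aliases:
            out.extend(expand(cmnd_aliases[item], cmnd_aliases, neg))
        else:
            out.append((neg, item))
    return out


def entry_matches(entry, command):
    """sudoers rule: no arguments in the entry -> any arguments match;
    otherwise the argument string must match exactly (glob-style)."""
    if entry == "ALL":
        return True
    parts = entry.split(None, 1)
    cmd = command.split(None, 1)
    if parts[0] != cmd[0]:
        return False
    if len(parts) == 1:
        return True
    got = cmd[1] if len(cmd) > 1 else ""
    return fnmatch.fnmatchcase(got, parts[1])


def is_permitted(user, command, policy):
    """Evaluate a command for a user; sudoers default is deny, last match wins."""
    cmnd_aliases, user_aliases, specs = policy
    verdict = False
    for who, cmds in specs:
        if user not in user_aliases.get(who, [who]):
            continue
        for neg, entry in expand(cmds, cmnd_aliases):
            if entry_matches(entry, command):
                verdict = not neg
    return verdict


def audit(policy, user, commands):
    """Map each candidate command to its allow/deny verdict."""
    return {c: is_permitted(user, c, policy) for c in commands}


if __name__ == "__main__":
    policy = parse_sudoers(SUDOERS)
    checks = ["/bin/bash", "/bin/su - root", "/bin/su -", "/bin/vi /etc/sudoers",
              "/usr/sbin/visudo", "/usr/bin/ls -l /root", "/bin/vi /etc/hosts"]
    for cmd, ok in audit(policy, "opsuser", checks).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {cmd}")
```

Running it shows the shells, "su - root", "su -", visudo and "vi /etc/sudoers" denied, while "/bin/vi /etc/hosts" is allowed, which is exactly the gap Paul describes. This is the reason sudoers(5) documents the limitations of the "!" operator: an "ALL" grant followed by exclusions only blocks the listed paths and argument strings, so a policy that must keep a root shell out of reach is better written as an explicit allow-list of the specific commands the group needs, with the real policy checked against a live system using "sudo -l -U user".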


